<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span> changed
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - nft masquerade commands make table nat unreadable by iptables-nft"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1748">bug 1748</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>RESOLVED
</td>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>phil@nwl.cc
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>---
</td>
<td>INVALID
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - nft masquerade commands make table nat unreadable by iptables-nft"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1748#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - nft masquerade commands make table nat unreadable by iptables-nft"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1748">bug 1748</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>Hi,
(In reply to Thomas Schlien from <a href="show_bug.cgi?id=1748#c0">comment #0</a>)
<span class="quote">> If I inject a masquerade rule into the nat table by nft I cannot read the
> table with iptables-nft (git hash 8bf2bab8eb2e4f5ae2fef859ea7c877662854101
> and also older versions like 1.8.9) anymore till I delete this single rule
> with nft
> tool.</span >
This is expected behaviour. You should not mix iptables-nft and nft tools when
manipulating the ruleset. Doing so is a good way to shoot one's foot (as you
did).
<span class="quote">> E.g. if I put the below configuration into file postrouting.nft and inject it
> via `nft -f postrouting.nft`:
> table ip nat {
> chain POSTROUTING {
> oifname != "br-mailcow" ip saddr 172.22.1.0/24 masquerade
> }
> }
>
> `iptables -t nat -L` then tells me `iptables v1.8.10 (nf_tables): table
> `nat' is incompatible, use 'nft' tool.` If I inject the same rule with
> iptables-nft, everything is working fine. I was able to fix this behavior by
> this patch to iptables, but I am pretty sure that this is not the right way
> to do it:
>
> diff --git a/iptables/nft.c b/iptables/nft.c
> index 884cc77e..a7086014 100644
> --- a/iptables/nft.c
> +++ b/iptables/nft.c
> @@ -3931,6 +3931,7 @@ static const char *supported_exprs[] = {
> "immediate",
> "lookup",
> "range",
> + "masq",
> };</span >
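Review bot: this hunk only appends "masq" to the supported_exprs whitelist, so the native masq expression passes iptables-nft's compatibility check, but nothing in the hunk adds code that renders that expression as the xtables MASQUERADE target form iptables-nft otherwise prints; as the reply says, the listed output is then likely incomplete or broken. A whitelist entry on its own is not a fix here: it would need a matching translation in the rule parsing code, and the patch carries no commit message explaining why nft-native rules should be listable by iptables-nft at all.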
This will merely accept the unsupported expression in the rule but the output
is likely incomplete (or even broken).
<span class="quote">> In my further debugging I found that the rule injected by iptables seems to
> have "target" as expression instead of "masq", but this only as a hint for
> someone who really knows the code. ;-)</span >
For NAT rules, iptables-nft uses xtables extensions (xt_MASQUERADE.ko) while
nft uses its native code (nft_masq.ko). There are "compat" nftables expressions
named "match" and "target" to call xtables extensions from an nftables rule.
<span class="quote">> Yesterday morning this "bug" caused a severe problem as libvirt was not able
> to read the nat table anymore because I used some nft commands before to
> insert some masquerading rules. This also may affect others who update their
> libvirt in, e.g., Ubuntu, and have inserted masquerading rules in the nat
> table via `nft`.</span >
Starting with v1.0.6, nft even warns when listing a ruleset which contains the
compat expressions mentioned above.
Cheers, Phil</pre>
</div>
</p>
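<p>A check for the situation described in this comment, added here as an example and not code from the bug report or the netfilter project: it parses the JSON that <code>nft -j list table ip nat</code> prints and reports every rule whose NAT action is a native nftables statement rather than the xtables "target" compat expression iptables-nft writes. The page covers masquerade only; treating snat, dnat and redirect the same way is an assumption, and the embedded sample ruleset is constructed.</p>

```python
"""Flag nft-native NAT rules that iptables-nft cannot list (added example,
not code from the bug report or the netfilter project). It parses the JSON
from `nft -j list table ip nat` and reports rules whose NAT action is a
native statement instead of the xtables "target" compat expression."""
import json
import sys

# Native NAT statements as nft names them in JSON. The report only covers
# masquerade; snat/dnat/redirect are assumed to behave the same way.
NATIVE_NAT_STMTS = {"masquerade", "snat", "dnat", "redirect"}

# Constructed sample of `nft -j list table ip nat`: handle 3 is the reporter's
# nft-native rule, handle 4 the same rule as iptables-nft writes it.
OIF = {"match": {"op": "!=", "left": {"meta": {"key": "oifname"}},
                 "right": "br-mailcow"}}
SAMPLE_JSON = json.dumps({"nftables": [
    {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 3,
              "expr": [OIF, {"masquerade": None}]}},
    {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 4,
              "expr": [OIF, {"counter": {"packets": 0, "bytes": 0}},
                       {"xt": {"type": "target", "name": "MASQUERADE"}}]}}]})


def classify_rule(rule):
    """Return ("native", stmt), ("compat", target) or ("other", None)."""
    for stmt in rule.get("expr", []):
        for key, val in stmt.items():
            if key in NATIVE_NAT_STMTS:
                return "native", key
            if key == "xt" and val.get("type") == "target":
                return "compat", val.get("name")
    return "other", None


def find_native_nat_rules(nft_json, table="nat", family="ip"):
    """Return (chain, handle, statement) for each nft-native NAT rule."""
    hits = []
    for obj in json.loads(nft_json).get("nftables", []):
        rule = obj.get("rule")
        if rule and (rule["family"], rule["table"]) == (family, table):
            kind, name = classify_rule(rule)
            if kind == "native":
                hits.append((rule["chain"], rule["handle"], name))
    return hits


if __name__ == "__main__":
    # Pipe `nft -j list table ip nat` into this script; fall back to the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for chain, handle, stmt in find_native_nat_rules(raw or SAMPLE_JSON):
        print(f"{chain} handle {handle}: native '{stmt}', unreadable by iptables-nft")
```

Each reported handle is the one to pass to <code>nft delete rule ip nat POSTROUTING handle N</code>, or to recreate through iptables-nft, before iptables-nft can read the table again.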
</body>
</html>